Outbound/Apply


The outbound and apply commands control what traffic is allowed to leave the network. The outbound command only identifies traffic to be permitted or denied. The apply command puts the outbound list on an interface and actually causes packets to be dropped. The first step in controlling outbound traffic is configuring outbound to identify the traffic to be filtered. The syntax for the outbound command is:

outbound <list_id> permit | deny <ip_address> [<netmask> [<port>[-<port>]]] [<protocol>]

The list_id is an identifier that maps the traffic identified by the outbound command to the apply command; list_id must be a number between 1 and 99. The permit or deny keywords specify whether the traffic identified by the outbound command will be permitted or denied, respectively. The ip_address parameter specifies the traffic to be identified by the outbound command. The netmask parameter is used in conjunction with the ip_address parameter to identify target IP address ranges. The port parameter specifies a specific port number or range to be identified by the outbound command. The protocol parameter identifies specific protocols (tcp, udp, etc.) and is assumed to be ip if it is not specified.

The second step is to apply the outbound list to an interface using the apply command. Once applied to an interface, any outgoing traffic on that interface that is denied by the associated outbound list will be dropped. The syntax for the apply command is as follows:

apply [(<interface_name>)] <list_id> outgoing_src | outgoing_dest

www.syngress.com

110 Chapter 3 • Passing Traffic

The interface_name parameter identifies the interface on which traffic will be filtered with the associated outbound list. If no interface is specified, it defaults to the outside interface. The list_id parameter names the outbound list to use for filtering outbound traffic. Unlike access lists, multiple outbound lists can be applied to an interface. These lists are processed starting at the lowest number and working upwards. Each list is read top to bottom, and the result is cumulative.

The outgoing_src or outgoing_dest keywords define how the apply command uses the outbound list. If outgoing_src is used, the ip_address is a source address. If outgoing_dest is used, it is a destination address.

Returning to Secure Corp., the company has decided to restrict access from its networks to the Internet. To control what employees can access, the company has decided to deny all packets from the company to the echo, chargen, and discard services on the Internet. They chose these ports because they are common ports for attacking Internet servers. There is no reason an employee should need access to these services on an outside host.

To accomplish this task, create an outbound list. Configure this list to allow all traffic through. Next, define rules that deny access to the specific services. Finally, apply the outbound list to an interface. The commands to accomplish these tasks are as follows:

PIX1(config)# outbound 20 permit 0.0.0.0 0.0.0.0 0
PIX1(config)# outbound 20 deny 0.0.0.0 0.0.0.0 echo
PIX1(config)# outbound 20 deny 0.0.0.0 0.0.0.0 discard
PIX1(config)# outbound 20 deny 0.0.0.0 0.0.0.0 chargen
PIX1(config)# apply (inside) 20 outgoing_src

Unfortunately, even after taking all these precautions, the company receives a complaint that an employee is attempting to access a server on the Internet that they should not. The IP address of the Internet server that is being illegally accessed is 10.10.1.10. A new outbound rule needs to be created. Since the company can't figure out which employee is causing the problem, instead of filtering traffic by the source address, use the apply command to filter by the destination:

PIX1(config)# outbound 30 permit 0.0.0.0 0.0.0.0 0
PIX1(config)# outbound 30 deny 10.10.1.10 255.255.255.255 0
PIX1(config)# apply (inside) 30 outgoing_dest


Another way to accomplish this is to use the outbound command with the except keyword. The except keyword reverses the outbound list direction for the specified IP address. For example, if the rule specified source addresses, except would cause a specific destination to be denied. In the previous example, instead of creating a new outbound list, we could add an except entry to outbound list 20:

PIX1(config)# outbound 20 except 10.10.1.10 255.255.255.255 0
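As an added illustration (not code from the chapter or from Cisco), the following Python model evaluates the chapter's list 20 (with its except entry) and list 30 against sample packets, showing why a permit-all rule followed by narrower deny rules behaves as described. It assumes, because the chapter does not spell it out, that within a list the most specific matching rule wins (ties going to deny), that a packet matching no rule is not dropped, and that except compares the opposite address and denies; port ranges are not modelled.

```python
import ipaddress
from dataclasses import dataclass

SERVICE_PORTS = {"echo": 7, "discard": 9, "chargen": 19}  # well-known service names

@dataclass
class Rule:
    action: str               # "permit", "deny" or "except"
    ip: str
    mask: str
    port: "int | str" = 0     # 0 = any port; a service name is resolved via SERVICE_PORTS
    protocol: str = "ip"      # "ip" = any protocol

def _port(rule):
    return SERVICE_PORTS[rule.port] if isinstance(rule.port, str) else rule.port
def _network(rule):
    return ipaddress.ip_network(f"{rule.ip}/{rule.mask}", strict=False)
def _specificity(rule):
    # Assumption: a longer mask, then an explicit port, then an explicit protocol is "more specific"
    return _network(rule).prefixlen + (8 if _port(rule) else 0) + (1 if rule.protocol != "ip" else 0)

def evaluate_list(rules, direction, src, dst, dport, proto):
    """True if this one list lets the packet through; direction is the apply keyword."""
    best = None
    for r in rules:
        # except reverses which address (source or destination) the rule is compared against
        use_src = (direction == "outgoing_src") != (r.action == "except")
        if ipaddress.ip_address(src if use_src else dst) not in _network(r):
            continue
        if _port(r) and _port(r) != dport:
            continue
        if r.protocol != "ip" and r.protocol != proto:
            continue
        key = (_specificity(r), r.action != "permit")  # most specific wins; ties go to deny
        if best is None or key > best[0]:
            best = (key, r)
    return best is None or best[1].action == "permit"  # unmatched packets are not dropped

def is_allowed(applied, src, dst, dport, proto="tcp"):
    """applied maps list_id -> (rules, direction); lists are checked from the lowest id
    upwards and the result is cumulative: a deny from any applied list drops the packet."""
    return all(evaluate_list(*applied[i], src, dst, dport, proto) for i in sorted(applied))

# The chapter's list 20 (including the except entry) and list 30, both applied to inside
LIST_20 = [Rule("permit", "0.0.0.0", "0.0.0.0"), Rule("deny", "0.0.0.0", "0.0.0.0", "echo"),
           Rule("deny", "0.0.0.0", "0.0.0.0", "discard"), Rule("deny", "0.0.0.0", "0.0.0.0", "chargen"),
           Rule("except", "10.10.1.10", "255.255.255.255")]
LIST_30 = [Rule("permit", "0.0.0.0", "0.0.0.0"), Rule("deny", "10.10.1.10", "255.255.255.255")]
INSIDE = {20: (LIST_20, "outgoing_src"), 30: (LIST_30, "outgoing_dest")}
```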

To verify your configuration, use the show outbound [list_id] command.

NOTE

It might be desirable to block Java applets or ActiveX code arriving from the Internet. The PIX supports this functionality. For more information, refer to Chapter 4, which provides detailed information on URL, Java, and ActiveX filtering.